Keypoints
- Trend Micro provided detection telemetry (Jan–Apr 2023) showing regional Grandoreiro activity to assist law enforcement analysis.
- Analysts extracted a list of bank-related strings from samples to monitor victim browsing and detect targeted banking pages.
- Using discovered strings and subdomains, Trend generated over 4,000 domain-generation algorithm (DGA) domains to pivot toward C2 infrastructure.
- Three active admin panels were identified with reachable HTTP endpoints/IPs (examples: 185.191.228[.]227/autorizar.php; 192.95.6[.]196/23112022new/autorizar.php; 51.77.193[.]20/eliteseguros/autorizar.php).
- Investigators were advised to inspect Dropbox storage where malicious attachments were hosted; uploader names (e.g., “RITA MENDES”, “Nohemi Valdes”) were noted for attribution leads.
- Trend analyzed Grandoreiro’s infection chain and demonstrated the use of VBScript (VBS) in the malicious routine.
MITRE Techniques
- [T1566] Phishing – Grandoreiro delivery relied on phishing emails and malicious attachments/links: ‘Grandoreiro spreads through phishing emails, malicious attachments, or links leading to fake websites.’
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The malware used VBScript in its infection routine: ‘Trend provided an analysis of Grandoreiro’s utilization of VBScript (VBS) for its malicious routine.’
- [T1568] Dynamic Resolution – Grandoreiro used DGAs for C2 communications and Trend generated domains to pivot to servers: ‘Grandoreiro utilized domain generation algorithms (DGAs) for its C&C communications…more than 4,000 DGAs were generated.’
- [T1102] Web Service – Malicious attachments were hosted on Dropbox, which investigators were advised to inspect: ‘inspect the file storage Dropbox where the malicious email attachment was hosted.’
- [T1590] Search Open Websites/Domains – Trend used public tools (URLScan) to locate and inspect active admin panels and their locations: ‘Trend recommended inspecting three active admin panels with their respective locations.’
Indicators of Compromise
- [IP addresses / admin panels] C2/admin panel endpoints – 185.191.228[.]227/autorizar.php (US), 192.95.6[.]196/23112022new/autorizar.php (Canada), 51.77.193[.]20/eliteseguros/autorizar.php (France)
- [Generated domains / DGAs] DGA output used to pivot to C2 – more than 4,000 domains generated from sample strings (examples not listed), useful to enumerate C2 infrastructure
- [Cloud storage / uploader names] Malicious attachment hosting – Dropbox accounts with uploader names “RITA MENDES” and “Nohemi Valdes” (investigative leads, possibly pseudonyms)
- [Strings / banking targets] Browser-monitoring strings list – list of bank-related strings extracted from samples (refer to provided OperationGrandoreiroStrings.txt for full list)
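The bank-related strings list above is also a usable signature: a sample that carries many of the same page-recognition strings is a strong candidate for a related Grandoreiro build. The scanner below is an added example, not Trend Micro's code; the string list is a constructed placeholder standing in for OperationGrandoreiroStrings.txt (which this page does not reproduce), and the sample bytes are constructed. It checks each string in both ASCII and UTF-16LE encodings, since either may be used to store UI strings in a binary, and flags a blob once a minimum number of distinct strings hit.

```python
# Added example (not Trend Micro's code): scan a byte blob for the bank-related
# strings Grandoreiro uses to recognise targeted banking pages, so the same
# list can serve as a detection signature for related samples.
import re

# CONSTRUCTED placeholder for the contents of OperationGrandoreiroStrings.txt.
BANK_STRINGS = [
    "bancoejemplo",
    "acceso clientes",
    "internet banking",
    "clave de acceso",
]


def compile_patterns(strings):
    """Build case-insensitive byte patterns for ASCII and UTF-16LE encodings."""
    patterns = []
    for s in strings:
        narrow = re.compile(re.escape(s.encode("latin-1", "ignore")), re.IGNORECASE)
        wide = re.compile(re.escape(s.encode("utf-16-le")), re.IGNORECASE)
        patterns.append((s, narrow, wide))
    return patterns


def scan_sample(data, strings=BANK_STRINGS, min_hits=2):
    """Return (sorted matched strings, flagged) for a byte blob.

    A blob is flagged when at least min_hits distinct strings are present,
    so a single incidental bank name does not trigger on its own.
    """
    hits = set()
    for s, narrow, wide in compile_patterns(strings):
        if narrow.search(data) or wide.search(data):
            hits.add(s)
    return sorted(hits), len(hits) >= min_hits


# CONSTRUCTED stand-ins for a suspicious sample and a clean file.
SAMPLE = (b"\x00" * 16 + b"Internet Banking" + b"\x00" * 8
          + "clave de acceso".encode("utf-16-le") + b"\xff" * 16)
CLEAN = b"MZ\x90\x00" + b"hello world" * 4

if __name__ == "__main__":
    print(scan_sample(SAMPLE))  # (['clave de acceso', 'internet banking'], True)
    print(scan_sample(CLEAN))   # ([], False)
```

In practice the same matching can be expressed as a YARA rule with `ascii wide nocase` modifiers; the Python form is useful for bulk triage of a sample set and for tuning `min_hits` against false positives from legitimate banking software.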
Trend Micro’s technical procedure focused on extracting actionable artifacts from Grandoreiro samples, mapping victim targeting, and using those artifacts to discover infrastructure. They pulled telemetry (Jan–Apr 2023) to highlight affected regions, extracted bank-related strings from samples to detect when victims visited targeted banking pages, and used those strings and discovered subdomains to algorithmically generate over 4,000 potential DGA domains to locate C2 servers.
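The defender-side use of a generated DGA candidate set is to match it against DNS query logs: a host that resolves several candidate domains in a short window is a likely infection and the resolved domains are the ones worth sinkholing. The matcher below is an added example, not Trend Micro's code. Grandoreiro's DGA itself is not described on this page and is not reproduced; the candidate domains and the BIND-style query log lines are constructed, and a subdomain of a candidate counts as a hit.

```python
# Added example (not Trend Micro's code): match DNS query logs against a set
# of candidate DGA domains to find hosts reaching for Grandoreiro C2.
import re
from collections import defaultdict

# CONSTRUCTED candidate list, standing in for Trend's generated DGA output.
DGA_CANDIDATES = {
    "x7k2p9qa.example-dga.net",
    "m4r8t1zb.example-dga.net",
    "q1w2e3r4.example-dga.org",
}

# CONSTRUCTED BIND-style query log lines.
DNS_LOG = """\
12-Apr-2023 10:01:05.123 queries: info: client 10.0.0.12#53211: query: www.example.com IN A + (10.0.0.1)
12-Apr-2023 10:01:09.501 queries: info: client 10.0.0.12#53212: query: x7k2p9qa.example-dga.net IN A + (10.0.0.1)
12-Apr-2023 10:02:11.002 queries: info: client 10.0.0.44#40010: query: update.m4r8t1zb.example-dga.net IN A + (10.0.0.1)
12-Apr-2023 10:03:00.777 queries: info: client 10.0.0.12#53213: query: q1w2e3r4.example-dga.org IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def candidate_for(name, candidates):
    """Return the candidate matching name or any parent domain, else None.

    The bare TLD is never checked, so 'net' alone cannot match.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in candidates:
            return parent
    return None


def match_dns_log(log, candidates=DGA_CANDIDATES):
    """Return {client_ip: sorted list of matched candidate domains}."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = candidate_for(m["name"], candidates)
        if hit:
            hits[m["ip"]].add(hit)
    return {ip: sorted(doms) for ip, doms in hits.items()}


def prioritise(hits, min_domains=2):
    """Hosts touching several candidates are the strongest leads for IR."""
    return sorted(ip for ip, doms in hits.items() if len(doms) >= min_domains)


if __name__ == "__main__":
    found = match_dns_log(DNS_LOG)
    print(found)
    print(prioritise(found))  # ['10.0.0.12']
```

The parent-domain walk matters because a DGA-derived registrable domain often appears in logs under a hostname prefix; matching only exact names would miss the `update.` query above. Feeding the set to a passive-DNS or resolver blocklist is the sinkholing step the summary refers to.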
For infrastructure discovery, analysts inspected public-facing admin panels and identified multiple HTTP endpoints by IP and path; they recommended using URLScan and similar reconnaissance tools to capture screenshots and metadata of active panels. They also traced malicious email attachments to Dropbox accounts, documenting uploader names as potential attribution leads, and produced a string list (OperationGrandoreiroStrings.txt) to support monitoring and detection.
Finally, the technical analysis included an infection-chain breakdown showing Grandoreiro’s use of VBScript (VBS) to run the malicious routine and deploy the trojan, guiding investigators on script-level indicators and possible remediation points such as blocking VBS execution, monitoring browser windows for the extracted banking strings, and sinkholing the generated DGA domains to disrupt C2.
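Where VBS execution cannot be blocked outright, the script-level step of the infection chain is still visible in process-creation telemetry: a Windows Script Host binary running a .vbs file from a user-writable path, launched by a mail client, browser or archiver. The triage function below is an added example, not Trend Micro's code; the events are constructed dictionaries using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage), and the parent-process and path lists are assumptions a team would tune to its own environment.

```python
# Added example (not Trend Micro's code): flag process-creation events where
# a Windows Script Host binary runs a .vbs, the script stage of the chain.
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed delivery parents: mail client, browsers, archivers.
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe",
                    "firefox.exe", "winrar.exe", "7zfm.exe"}
# Assumed user-writable locations where attachments land (lower-case).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\",
                 "\\appdata\\roaming\\")


def classify(event):
    """Return the list of reasons an event is suspicious ([] means benign)."""
    image = ntpath.basename(event["Image"]).lower()
    if image not in SCRIPT_HOSTS:
        return []
    cmd = event.get("CommandLine", "").lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    reasons = []
    if ".vbs" in cmd:
        reasons.append("script host executing .vbs")
    if any(p in cmd for p in USER_WRITABLE):
        reasons.append("script in user-writable path")
    if parent in DELIVERY_PARENTS:
        reasons.append("launched by " + parent)
    return reasons


def triage(events, min_reasons=2):
    """Return [(ProcessId, reasons)] for events with at least min_reasons."""
    out = []
    for e in events:
        reasons = classify(e)
        if len(reasons) >= min_reasons:
            out.append((e["ProcessId"], reasons))
    return out


# CONSTRUCTED Sysmon-style events: one attachment launch, one admin
# script run by a service, one unrelated process.
EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\factura_2023.vbs"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\ProgramData\Vendor\inventory.vbs",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"ProcessId": 4200, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(EVENTS):
        print(pid, reasons)  # 4120 with three reasons
```

Requiring two independent reasons keeps routine administrative scripts (the `svchost.exe`-spawned inventory script above) out of the alert queue while still catching the attachment-launched case; the same logic translates directly into a SIEM rule over Sysmon or EDR process events.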